216.73.217.64

CVE-2026-41486

· Published 08/05/2026 22:16 · Modified 08/05/2026 22:16

Labels: CVE-2026-41486 2026-05-08CVE-2026-41486CWE-94[email protected]

Essential information

Published
08/05/2026 22:16
Modified
08/05/2026 22:16
Author
Creator
CVSS
8.9 HIGH (v3) 8.9 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
ray / ray cpe:2.3:a:ray:ray:2.54.0-2.55.0:*:*:*:*:*:*:*

References